How can I use an alternate address with Exchange Server?

Use an alternate address with Microsoft Exchange Server to send a message from a secondary proxy SMTP address as though the message came directly from that email address.

Q: How can I use an alternate address with Exchange Server?

A: A common request in Exchange shops is for users to be able to send a message from a secondary proxy SMTP address or additional mailbox as though the message came directly from that email address. Support personnel who monitor a secondary alias or mailbox (e.g., support@domain.com, webmaster@domain.com) often need this capability. In addition, a merger of two enterprises might require users to send from different Exchange organizations for which no trust has been configured.

Because Microsoft Office Outlook uses Messaging API (MAPI) as the message store provider, you can’t simply change the From address to reflect a different source. A limitation within MAPI prevents a profile from accessing multiple Exchange servers at the provider level. You can assign Send On Behalf Of permissions in Outlook, but doing so exposes the message’s original source address because the recipient will see the text “From User A sent on behalf of User B.” Fortunately, several options exist.

If the secondary address has its own object in Active Directory (AD), such as a mailbox or distribution group, then permissions can be assigned on that object to give a user or group Send As permissions. This action can only be performed by an administrator at the server; you can’t grant these permissions from the Outlook client. To assign Send As permissions in Exchange Server 2003, perform the following steps:

c. Open the object properties (Mailbox, Group, or Mail-Enabled Contact) on which you want to assign Send As permissions, and select the Security tab.

d. Click the Advanced button.

e. On the Permissions tab, click Add and select the object or user to grant Send As permissions to.

f. In the Select User, Computer, or Group dialog box, enter the user to assign permissions to, and click OK.

g. In the Permissions Entry dialog box that opens, the value in the Apply onto drop-down box should be This object only. Select the Allow check box for the Send As permission, as Figure 1 shows.

For Exchange Server 2007 RTM, Send As permissions are administered through PowerShell. The cmdlet to invoke these permissions is Add-ADPermission. The parameters include the identity to apply the rights against, the user to grant the rights to, and the type of extended rights (which in this case is “Send As”). As an example, you’d use the following command to assign Send As rights to user William on Kevin Miller’s mailbox:

This command returns confirmation of the rights assignment in a table. Exchange 2007 SP1 adds this functionality to the Exchange Management Console (EMC). In the EMC, selecting the Recipient Configuration object will show a list of recipients in the middle pane. Select the recipient against which Send As permissions are to be applied. In the Action pane on the right, select the new option Manage Send As Permission. When the wizard opens, select Add and choose the user or group to grant Send As permissions to and click OK. Clicking Manage will return a summary of the configuration performed, including the equivalent PowerShell command.
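As an added example (not the article's own listing), the Exchange Management Shell session below grants the right with the cmdlet and parameters the text names, reads the entry back, and then inventories every explicit Send As grant so the assignments can be reviewed. The function name `Get-SendAsGrant` and the CSV path are hypothetical; "Kevin Miller" and "William" are the names used in the text.

```powershell
# Added example for the Exchange Management Shell (Exchange Server 2007).
# Not the article's original command listing.

# 1. Grant William the Send As extended right on Kevin Miller's mailbox.
Add-ADPermission -Identity "Kevin Miller" -User "William" -ExtendedRights "Send As"

# 2. Read the entry back to confirm who holds the right on this object.
Get-ADPermission -Identity "Kevin Miller" |
    Where-Object { $_.ExtendedRights -like "*Send-As*" -and $_.User -like "*William*" } |
    Format-Table Identity, User, Deny, IsInherited -AutoSize

# 3. Inventory every explicit Send As grant on mailboxes in the organization.
#    Inherited entries, Deny entries, and each mailbox's own SELF entry are
#    skipped so that only deliberate delegations remain.
function Get-SendAsGrant {   # hypothetical helper name
    Get-Mailbox -ResultSize Unlimited |
        Get-ADPermission |
        Where-Object {
            $_.ExtendedRights -like "*Send-As*" -and
            -not $_.IsInherited -and
            -not $_.Deny -and
            $_.User -notlike "NT AUTHORITY\SELF"
        } |
        Select-Object @{Name = "Mailbox"; Expression = { $_.Identity.ToString() }},
                      @{Name = "Grantee"; Expression = { $_.User.ToString() }}
}

$grants = @(Get-SendAsGrant)

# Keep a dated record of the delegations (placeholder path).
$grants | Export-Csv -Path "C:\Temp\SendAs-grants.csv" -NoTypeInformation

# 4. List mailboxes that more than one principal can send as. For these,
#    the From address alone does not identify the person who sent a message.
$grants |
    Group-Object Mailbox |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $names = ($_.Group | ForEach-Object { $_.Grantee }) -join ", "
        "{0}: {1}" -f $_.Name, $names
    }
```

Granting Send As to a group rather than to individual users shows up here as a single grantee, so group membership has to be reviewed separately.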

If the secondary address has its own mailbox, use Outlook to connect to the primary mailbox address as normal and use Outlook Web Access (OWA) via a Web browser to monitor the secondary mailbox. No conflict is created if a user has multiple interfaces, such as OWA and Outlook, to access different mailboxes.

Use a third-party or custom application that lets you use secondary addresses as the authoritative From address for outgoing messages. Products such as Ivasoft’s ChooseFrom (http://www.ivasoft.biz/choosefrom.shtml) are implemented as transport event sinks in Exchange 2003 and Exchange 2000 Server or as custom transport agents in Exchange 2007, allowing users to select an authorized secondary SMTP address to use in the From field. The recipient will receive the message as though it were sent directly from the secondary address. This solution is appealing for enterprises, because it’s managed on the server side without any custom client configuration.

Allow POP3 or IMAP4 access to the Exchange server for the secondary supported mailboxes. Users can then use Outlook for their primary mailboxes and Outlook Express (or Windows Mail on Windows Vista) to access their secondary mailboxes. For example, a user could use Outlook for his or her main mailbox communication and use the secondary (non-Outlook) POP3 or IMAP4 client to access another mailbox, such as HelpDesk. Alternatively, the POP3 or IMAP4 account access can be added to the same Outlook profile that’s used to access the mailbox with MAPI. The user must then change the account to send from whenever trying to represent the secondary mailbox (e.g., HelpDesk).

If a user has a secondary proxy SMTP address assigned to his or her AD account, you can create a POP3 or IMAP4 account in the user’s profile even though the Exchange server might not be configured for Internet client protocols. This client-side method lets the user send from an address using an alternate Internet email account, even though that account doesn’t retrieve inbound messages.

For a user monitoring the Help desk with a secondary proxy address of support@domain.com, adding a POP3 account for the Help desk lets the user send from the SMTP address support@domain.com. By default, Exchange will resolve the secondary address to the user’s AD account, and internal MAPI messages will show the primary SMTP address. However, messages destined for the Internet will reflect the address assigned to the POP3 account. This configuration is useful for answering external queries from addresses such as support, webmaster, hostmaster, postmaster, or info@domain.com without revealing a specific user associated with those secondary proxy addresses.

To add a “dummy” POP3 account to an existing Microsoft Office Outlook 2003 profile, from the Outlook client logged on to the user’s Exchange mailbox, select E-mail Accounts from the Tools menu. Select View or change existing e-mail accounts in the E-mail Accounts window that opens. This option lets you access the list of accounts in the profile, which should include the Exchange account. Click Add to add a new account, ensure that the POP3 radio button is selected under Server Type, and click Next to continue. You can enter your dummy POP3 account information in the window that opens. Figure 2 shows the address support@mojavemedia.com for the user called Help Desk, which is also a secondary proxy address for the user William.

To add a dummy POP3 account in Microsoft Office Outlook 2007, select Account Settings from the Tools menu. Select the E-mail tab in the window that opens, and click New. Ensure that the radio button is selected for the service option that includes POP3, then click Next. Rather than using the default Auto Account Setup, select the check box at the bottom of the window to manually configure server settings, then click Next. Select Internet E-mail in the window that opens, and click Next. In the next window that opens, the Your Name field should contain the account name (e.g., Help Desk). The name of the POP3 mail server isn’t especially important, because we won’t actually be receiving email for this account—I typically enter localhost just to fill the field. The outbound SMTP mail server typically should be the Exchange server that hosts the user’s mailbox, although your company might have a different outbound SMTP server to use. In my example in Figure 2, this server is mail.mojavemedia.com.

To be able to send messages using the Exchange server, the user must be authenticated. Click More Settings and select the Outgoing Server tab, as Figure 3 shows. Add the AD account details for the user to automatically authenticate for outbound email from this account. If the user isn’t configured to authenticate to the Exchange server or outbound SMTP server, then external messages sent from the proxy address will bounce back, declaring that address to be unable to relay.

The next step prevents Outlook from trying to retrieve POP3 email for this fake account. In Outlook 2007 or 2003, select Send/Receive, Send/Receive Settings, Define Send/Receive Groups from the Tools menu. In the Send/Receive Groups window that opens, ensure that All Accounts is selected and click Edit. In the next window that opens, select the POP3 account and clear the Receive mail items check box, as Figure 4 shows. Click OK to confirm the change. Now, when the user wants to send email outside of the company and show the mail as being directly from a secondary address, such as support@mojavemedia.com, he or she can select an alternate account in the new message form, as Figure 5 shows.

The ability for users to send messages that appear to have come from a secondary address is quite useful. Perhaps future versions of Exchange and Outlook will provide a server-side solution that eliminates client-side hacks such as the Internet account option that I suggest using. Third-party companies have solved this problem on the server side, so Microsoft can undoubtedly do so as well.

Discuss this Article 5

DEBBI (not verified)

on Mar 12, 2009

Isn't this a security issue? Anyone with permission to "send as" could potentially send harmful or negative emails to others. How do you trace the message back to the actual sender if multiple people have the same "send as" permissions?